CPM Automatic Updates

Offered as a new feature in CPM version 1.5, Automatic Updates allows you to automatically deliver and apply pattern file updates to your endpoints whenever new patterns are made available by Trend Micro.

To enable automatic updates, take the following steps:

  1. Run the Enable Automatic Updates – Server task on your server.
  2. Download the CPM Automatic Update Setup Script and run it on your server.
  3. Run the ‘Enable Automatic Updates – Endpoint’ Task on your endpoints.
  4. Ensure that there is a periodic policy action issued from the ‘Set ActiveUpdate Server Pattern Update Interval’ Task.
  5. Issue a policy action against all endpoints from the ‘Apply Automatic Updates’ Task.

These steps are described in detail below.

1. Run the ‘Enable Automatic Updates – Server’ Task

This action sets a flag on the server. When the flag is set, the ‘Set ActiveUpdate Server Pattern Update Interval’ policy action configured in step 4 will send a manifest of the latest available pattern updates to CPM endpoints.

Note: There is a corresponding ‘Disable Automatic Updates – Server’ Task.  Use this task if you want to stop all endpoints from automatically updating pattern files.

2. Run the CPM Automatic Update Setup Script

Download and run the CPM automatic update setup script on your server. You will need your deployment’s site administrator credentials and password. These are required in order to create a new console operator account. This account is used to send a manifest of the latest available pattern file versions to your endpoints whenever new patterns are downloaded from Trend Micro.

Note: Please read KB article CPM Automatic Updates - Running the CPM automatic update setup script for recommendations on running the script in various operating environments.

Note: This operator account should not be given administrative rights on any endpoints.

Note: It is recommended that you do not change the default values supplied by the script.

Note: The manifest of the latest pattern versions will only be made available to endpoints if automatic updates are enabled on the server. Refer to step 1.

3. Run the ‘Enable Automatic Updates – Endpoint’ Task

This action sets a flag on the endpoints targeted by the action. When the flag is set, the ‘Apply Automatic Updates’ policy action configured in step 5 will become relevant whenever new pattern files are made available by the policy action configured in Step 4. Only endpoints with the flag set will automatically apply pattern file updates.

Note: There is a corresponding ‘Disable Automatic Updates – Endpoint’ Task. If you want to stop some endpoints from automatically updating pattern files, target them with this disable task.

4. Issue a policy action from the ‘Set ActiveUpdate Server Pattern Update Interval’ Task

You have most likely already configured a policy action from this task. If you have not, please see the instructions in the Core Protection Module Users Guide.

Important Note: The setup process of automatic updates will not download a new pattern-set.  That action is still managed by the ‘Set ActiveUpdate Server Pattern Update Interval’ task.

A policy action of that task may already exist and the most recent pattern-set may have been downloaded prior to this automatic updates setup procedure. In that situation, a new pattern-set will not be available for automatic updates until the next set is downloaded from the Trend ActiveUpdate Server.

The caching behavior of the Trend CPM Server component only downloads new content from the Trend ActiveUpdate Server. To induce an immediate download of the latest pattern-set to use in automatic updates, please perform the following:

  1. Clear the CPM Server Component download cache - Delete the contents of folder [C:\Program Files\Trend Micro\Core Protection Module Server\download].
  2. Deploy an action from task 'Core Protection Module - Set ActiveUpdate Server Pattern Update Interval'.

5. Issue a policy action from the ‘Apply Automatic Updates’ Task

This policy action monitors the latest pattern file versions and applies them to endpoints with automatic updates enabled (refer to step 3). The action should be targeted at all computers and set with the following parameters:

  • Reapply whenever relevant
  • Reapply an unlimited number of times
  • Retry up to 99 times on failure